Balancing Act: Merging Cybersecurity and Business Strategies with Sheena Peeters

Sheena Peeters:

And cyber things change so quickly. In business, in digital every day, your world is changing really rapidly.

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. My guest for this episode is Sheena Peeters. After beginning her career as a management consultant, Sheena has worked at a variety of roles within tech and architecture, including founding her own startup and executing large digital transformation strategies for companies like NAB, Australia Post and HESTA. We chat about aligning cybersecurity initiatives with business strategy, fostering a culture of shared responsibility, the challenges of measuring ROI in cybersecurity and plenty more. Sheena is an infectiously positive person. I had such a great time recording our conversation, so whether you’re a veteran of the industry or just starting out, I’m sure you’ll find something valuable in this episode.

Hello, Sheena. How are you going?

Sheena Peeters:

Hi, Cole. I’m doing very well. How are you?

Cole Cornford:

It’s a beautiful day outside. School pickup was amazing. Got to play lots of videogame, music to my daughter while she sit there, just being like, “Why? Why am I being subjected to this?”

Sheena Peeters:

It’s okay. I’ve got teenagers. I subject them to lots of things. I was going for my Australian citizenship exam a couple weeks ago and you can learn the topic for the test. It’s not an exam, it’s a test. And you learn the content via podcasts. And in there is things like the Australian National Anthem and so I subjected my children to school drop-offs to the podcast of our Australian bond cult.

Cole Cornford:

Your kids will be a little bit more interested. There was a period of time where I was listening basically to Sam Harris and Jordan Harbinger every car trip to take my wife to work until eventually she got sick of it and told me to put classical music on. She’s like, “I don’t want to listen about psychedelics and about antidisestablishmentarianism and stuff,” and I’m like, “Okay, fair enough. This is not interesting to you.”

Sheena Peeters:

Oh, I love that. That’s too funny.

Cole Cornford:

Yeah. So as the head of Galah Cyber, I always ask every guest who comes onto the podcast, what kind of bird are you and why?

Sheena Peeters:

Well, okay, I don’t know if I’m this kind of bird, but I have a bird.

Cole Cornford:

Oh, all right.

Sheena Peeters:

Yes, it’s called the pukeko and it’s a bird in New Zealand. I don’t think it’s a native of New Zealand, but we all claim it. As Kiwis, we like to claim things. And what’s really interesting about the pukeko, it’s actually quite a beautiful-looking bird. It’s quite colorful. It’s clumsy. It’s got these long awkward clumsy legs, so it looks a bit like it’s always going to fall over and they’re mischievous. I actually quite like that about them. They go on these potato raids in the farms. I’m sure the farmers don’t like it, but they do a little potato raid. The interesting thing about the pukeko is that it’s really learned to adapt to its environment. So they’re quite flexible, they’re adaptable, they now have learned to live alongside their predators, but they’re also territorial. So they create a territory where they feed and breed and raise their young as a collective.

So they do this like they cooperate and collaborate to protect this territory and that interestingly is the key to their success. So I actually love that story. I think there’s a little bit of meaning in that for all of us around this idea of community and cooperation. Yeah, that’s my bird.

Cole Cornford:

I just looked it up and they’re apparently called it Australasian swamphen as well, but in New Zealand, they’re the pukeko and I love it. I know that bird. I see it all the time because I live near a bunch of creeks, so that bird’s just always having a bit of a stroll around. Haven’t been attacked by one yet. So-

Sheena Peeters:

You’re not a potato maybe, that’s why.

Cole Cornford:

I’m not a potato. I’m not a predator, so-

Sheena Peeters:

They’re very social apparently.

Cole Cornford:

When I was in New Zealand for Kawaiicon last year, I actually went to a place called Zealandia in Wellington and I got to see so many New Zealand birds. It was great. I think my favorite one was this large fat flightless one that was just … I can’t even remember what it’s called. It’s just big fat one and is just walking around on the ground and it’s useless. There definitely wasn’t a kakapo. I know there was also kakas who were flying at my head repeatedly, trying to get chestnuts. It was a great time. I love New Zealand birds.

Sheena Peeters:

My son loves the tui.

Cole Cornford:

The tui, okay. I need to just get … Because I got a copy of Australian birds sitting on my bed, so I can be prepared every day for when someone comes up with a weird bird that I’ve never heard of before, so I can be like, “Oh, what is a boobook?” And I’m like, “Ah, I know what this is.” But we’ve had [inaudible] a few times on this show, which makes it a bit easy for me, but no galah so far.

Sheena Peeters:

No, galah and no pukeko.

Cole Cornford:

No pukeko, yes. So, Sheena, for our audience, would you be able to give us a bit of background about yourself and your career and where you started from?

Sheena Peeters:

Yeah. Look, I love this part of the story. I always reflect on year 10. I did this year 10 work experience. It was a bit random, right? Because I wasn’t really … I didn’t wake up and think, “Oh, I’m going to be in tech,” or, “I’m going to be a nurse,” or, “I’m going to be a teacher.” I didn’t really have a view. And year 10, I ended up at this company that had supercomputers and they did seismic processing under the water. We were creating channels. And this was early stages of the internet where we were laying cable underground. And so this really sparked my interest, and these supercomputers, they did the data processing to predict weather. And I guess it was my first foray into technology solving real problems and really sparked my curiosity around this.

Now, when I talk about supercomputers, I’m young enough to remember that there were physical machines that stood like seven, eight foot high and took up just reams of warehouse space. Now, there’s somewhere in the cloud, Cole.

Cole Cornford:

Yes, the cloud. I’ve heard of that concept.

Sheena Peeters:

Have you heard of that thing? So that really sparked my interest and I think that, if I think about my career journey, that’s been the core essence. I love solving problems and so I tend to be drawn to and attracted to, particularly in technology, this idea that we can solve problems through technology, through engagement with people, through change. So from there, I went on, I actually did a degree in technology. Different people have had different mechanisms by which they’ve come in and I think you and I were talking about a friend of mine who was a science teacher once who now works in technology.

And I started my career in consulting, which was actually a really great place to start because it gave me a real variety around solving problems. I got to see a lot of different organizations, a lot of different types of problems that we’re solving. But what really harnessed my, I guess, skills in the space, particularly around innovation and transformation, was when I owned my own business. So the irony is that whilst I owned my own business in manufacturing and distribution of products, it was really early days of Twitter and the internet, the idea of selling concepts of eCommerce and conversational commerce. And so as a small business, to shift away from relying just on bricks and mortar and to be able to create a conversation around my product directly through that relationship with the customer or the end user was actually something I really explored.

And I think, since then, my career has taken me through some of the largest organizations in Australia, I’ve had the luxury of working with just some incredible people, but some of those core foundations I think have always driven me that idea of curiosity and solving problems, that idea of looking forward. I remember I was a distributor at the time, but with every small business in your early days, cashflow is your biggest problem you’re working with. You can only go as far as the money you bring in. And so I had this real challenge, this real fork in the road where bricks and mortar was where we were really heavily invested in as a community, but I could get quick money by reaching directly into a broad consumer base through this idea of the internet and this idea of ecommerce.

And so I was constantly making these calls about, “Well, this is what’s expected, but here’s something that I could investigate. Here’s something I could try.” I remember one of my retailers saying, “Oh, it’s not good how you go directly to retailers or customers over the internet, right? Because that’s disenfranchising me.” But I think that, in my career, I always reflect on that story and that fork in the road because I think it’s where innovation starts to happen, when you test something and when you try something and when you take some risks.

Cole Cornford:

Yeah, I think absolutely spot on about that. It’s a lot to unpack. I was going to say New Zealand’s pretty well known for all of the earthquakes, so it’s a pretty good place to start out there. And yeah, I do agree with consulting as well. I started out myself just going into permanent positions and basically education and manufacturing and eventually government and banking. I only really started doing consulting when I started my own business and it’s been a fun journey having not been a consultant previously and just being like, “Oh, yeah, everything will be great. I know how to be a consultant. I just got to solve problems, right?” No, it’s a little bit more complicated than that, but you got to iterate and ideate and try stuff, right?

And I do love that as a graduate, if you can go into a bank and then an airline and then a healthcare institution and see what all the different issues. That exposure to lots of different businesses is really valuable. I know a lot of people who just stay in the one place for a long time and they have a worldview that’s centered around that. And owning a business as well, obviously, I run my own company and I agree 100% about the cashflow thing. I had a period of time where my values were dictating a lot of the decisions I would make with my business because they’re in the middle of a boom period. There’s a lot of opportunity for the people who were software security specialists and then obviously things flipped around a bit. And now it’s like, “Oh, actually, I shouldn’t have just been using that money on stupid stuff.”

So now I’m a lot more aware of these cashflow scenarios and marketing and sales and all of these other things that actually I used to actually run a business, and because of that, it’s made me a lot better at consulting and about listening to people and solving problems. But it goes back to … I love that curiosity statement as well. I’m looking at AI, right? I tend to do two things. I either go, “Wow, I’m really going to go learn this topic in detail,” or, “If I go and learn this, I’m wasting a lot of opportunity costs on other things I could be doing, I don’t know, spending time with my family, lifting weights, playing videogames, whatever.” But with AI, it’s been like, “Okay, okay, this is going to actually do something interesting in our sector, so I should really, really learn about it.”

And I know that obviously back in the day, ecommerce would’ve been a very interesting place to be with everybody getting scared, “Is this going to take our jobs? Is this going to make it direct to consumer? Is this going to be the future or are people actually going to come into the store?” Lo and behold, I still go to David Jones, even though I try stuff on there to see what brands I like and I want to understand the material and so on, but I still buy [inaudible] shoes and they don’t have physical presences from what I know. So also New Zealand brands, so big props to you there.

So moving on to another question for you. What have you found to be the most important qualities that leaders should have when they’re looking at trying to secure an organization? What kind of things set people apart?

Sheena Peeters:

I think one of the key leadership qualities, and this is security aside, I think this applies across the board, is helping connect the role that individuals play to the purpose and the strategy, so the what and the why, right? I think, in securities particularly, if you think about security as a shared problem, back to the pukeko, “With collaborating and cooperating to protect our territory,” then there are lots of individuals who are participating in that system and playing different roles or contributing in different ways. And giving them an understanding of how or what they’re doing contributes how it contributes to the bigger picture, how it plays a role in the bigger picture, I think is an incredible leadership capability to have. And I don’t think we should underestimate that and the value of that.

Cole Cornford:

Yeah, I think that people focus on technical controls or compliance activities and not really understanding, “What is your business trying to achieve?” You’re just doing things without really … There’s no inspiration for people to really want to work hard to actually solve the problem. And shared responsibility, that’s a big piece. Could you unpack how you go about doing that?

Sheena Peeters:

Yeah, look, there are multiple schools of thought, right? You and I, I think we’ve bantered around this in the past, this idea that one person or a group, a particular business function is responsible. I think that that’s a little bit traditional. If you’ve got a wide territory to protect, now you can see why I introduced you to the pukeko, then you want to bring in as many people to participate in that process and understand. So I think we start with the strategy, “What is it that we’re trying to achieve? What is important to us as a business?” Whether it’s our vision and purpose of what we’re trying to do for customers, our vision and purpose for what we’re trying to do for our employees and also how we protect them, how we protect our business, how we protect our people, and how we protect our customers, right? I think we have to have a clear strategy for that.

But then this idea that one team or one group is responsible, I think, is not a feasible way to really address the problem. It’s a shared responsibility and I think it takes all parts of the organization to come together collectively to value what is important and actually cover the blind spots or mitigate against the blind spots, right? Because you can’t cover everything. You can’t be in everything. You can’t have all the knowledge in one place. So I think, for me, that’s where that shared responsibility comes in, is, “How do we collectively come together to, one, commit to or connect to the strategy and then appreciate the purpose and the role that we all play in that?”

And for me, that’s less about just security. That should be applied to … If your organization is taking on a transformation, what’s that strategy that the organization has around it and how does everybody else understand it, commit to it and understand the role they play in it and are part of that shared purpose?

Cole Cornford:

I do see centralized security functions a lot. I guess it really depends on the scale of the organization. Sometimes, there’s one or two people and they’re the security person, team or whatever and they’re responsible for everything. And that almost always universally fails in my experience because let’s say that you have an organization of 100 people and then they decide to bring a security person on, because I find that’s around the right scale when there’s like … Otherwise, you’d just be using external agencies or outsource providers to do a specific service. You don’t really want to have a full-time employee dedicated to cyber. If you’re not at a scale where you have 100-FTE face basically, right? And that one person’s in charge of everything.

And sometimes I think it works out really well when that person decides, “I am just going to be an advocate, I’m going to go listen, I’m going to go understand what the business is trying to do, and I’m just going to help everybody else make good decisions.” Where it doesn’t work is when everybody comes to this person for approval gateways because all that they do is create a bottleneck and an incredible amount of stress on their shoulders. And as soon as the accountability entirely lies with this one individual, then your business isn’t going to be working. And I feel like it’s the same across …

It’s not just cybersecurity. I think this is why our backgrounds of running different businesses and stuff really helps us understand this to a tee because the developer is ultimately accountable for the maintainability of the code that he writes and the types of people he brings into his team and the security of the software, the experience of customers who are using these applications. There’s only one aspect, but they got shared responsibility about all of these different pieces. So I feel like taking that kind of mindset and applying it to different leadership positions within an organization. Everybody, as part of their roles, should be assuming that there are some level of accountability that they have to manage risk.

And even in my training that I provide for software engineers, I spend the first half of the day being like, “Do you know what risk is? Do you know what your business is trying to achieve?” Half the time, they say they don’t know.

Sheena Peeters:

Yeah, and what’s their role in that, right? How do they understand what their role and purpose is in that? And I agree with you, don’t get me wrong when I say this, that there are absolutely experts across that value chain, right? You’ve got your security managed service provider that could play a role. You’ve got your compliance and risk teams that play a role. You’ve got your very pivotal and important technology teams that play a role, right? But to your point, there are a whole variety of roles. And in each of those roles, there’s a responsibility and an accountability that that individual or that team has that contributes to the overall system of protection for the organization.

Cole Cornford:

Yeah. Cool. I think that was a good answer, Sheena. So good job. Cool.

Sheena Peeters:

I’m glad we’re grading because-

Cole Cornford:

Oh, yeah. I’d just tell you, that’s a bad answer. Everything sucks.

Sheena Peeters:

Yeah. Well, we’re getting rid of that one.

Cole Cornford:

So in your role or even previous roles, you’re talking about how does that shared accountability model that only really works if you have a culture where people actually recognize that they need to do it. How do you help people move in that direction and foster that kind of environment where they understand that they’re accountable for security decisions and that they’re empowered to make them?

Sheena Peeters:

Look, shared responsibility requires shared knowledge. And I think there’s a little bit in there about ways of working as well, right? So first and foremost, ways of working where accountability is embedded in them. I’ll give you an example. If you are developing a quarterly plan and everybody understands what you’re trying to deliver in the quarter and we’re all committed and prioritized to it, then as we put the cadence in on monitoring that plan, that accountability and that responsibility exists, right? So it’s like, “We’re committed to delivering this in this fortnight or in this month,” whatever your cadence is, and one, “We understand or are on track to deliver it.” Two, “We have constraints, but we are working on how to clear it to deliver it.” Three, “We don’t believe we can. We underestimated, we overestimated, but we’re working through that,” whatever the rules of the game are, as a shared team.

It’s really fascinating, I’m going to sidebar for a minute, I wanted to actually bring a whole group of people together around planning and accountability in the planning and execution. And what I realized is that it was a team of lots of different people that had been employed. There was contractors. There were partners. And it required, “Team is team,” right? Team is made up of everybody who is participating to get you to the finish line or to help you deliver that outcome. So we decided to take everyone on training. We wanted to establish ways of working that was a shared, that was something that was in context defined by the team, where the language and the definitions were understood, “So my interpretation of agile is same as yours. My interpretation of a sprint is same as yours,” or, “We have a common language around which we all communicate and connect to.”

So we all went on training. We, our partners, our contractors, our employees, everybody that was participating in coming together to establish these ways of working and to create the commitment. So I think you can foster accountability and connection to the story by making sure that you bring everybody on the journey with you. Yeah, I think let’s hypothetically say we only took our employees on the training. Suddenly, we’re trying to get an entire team of people, “Team is team, right? Team is the whole group, the flock.” Do you like it?

Cole Cornford:

I love it.

Sheena Peeters:

I’m weaving this, right?

Cole Cornford:

Hey, look, my mailing list is flock@galahcyber, so it’s all good.

Sheena Peeters:

And so if we want everybody to come together and have a culture that is committed to accountability to this common way of working, then we’ve all got to come together and have that shared knowledge. Second part is then shared knowledge is important, right? You can’t have information that is in a cupboard where five people knew about it collecting dust. We all need to understand and work from the same baseline, right? And then that [inaudible] as a culture of collaboration, cooperation, communication, so that’s my two [inaudible].

Cole Cornford:

Two things I’ve got out of there is silos and us versus them. So I know that, in a lot of organizations I’ve worked at in the past, generally we would have a security function and it would be quite adversarial with the project delivery teams a lot of time because we would perceive it as, “Why are they not able to do basic things like prevent vulnerabilities to me, introduce it into applications? Why don’t they engage security earlier? Why don’t they listen to our advice?” And you create this attitude where it’s us, the security guys versus them, the developers or them, the project teams and no one’s on the same page. They just don’t like each other. And I still see it in consulting on my day-to-day basis, right?

And one of the things that I try to do is break that down by just having a chat, turning my camera on. I know crazy. How weird is that, considering the concept of being human? That’s too much for some big enterprises. Everyone turns their cameras off. But then just listening about what are they trying to do. And if they’re like, “Oh, we’re just doing something really basic, but we have to do security,” I’m like, “No, you don’t. It’s all good. Just let it off, so I understand your business context now. Why are you here? It’s no need to, right?” And they’re appreciative and they understand that and then they start to message me in advance instead of going through the processes because it was a pleasure to work with me.

Sheena Peeters:

Yeah, yeah, absolutely.

Cole Cornford:

I feel like that delegated … Building that trust where you’re basically a trusted advisor to some different project delivery teams is the way to move forward. As a security professional, you need to really understand that you’re probably the least important part of the business because you’re not earning revenue, you’re just managing one aspect of risk.

Sheena Peeters:

Which makes their job a bit harder too, right?

Cole Cornford:

Yeah.

Sheena Peeters:

I’m a big believer that the security architects should be part of the architecture team, right? They should work alongside their architects and the developers, the designers in order to ensure that security is baked into the architecture. It’s not an afterthought. I think this is where you are going is that, “Go away and do something and come back and talk to us, the security team, and we’ll become a bit of a gatekeeper function. Yeah, we’ll tell you whether you can do that or not.” Whereas I think someone like a security architect is one of those key resources that should be part of that technology team, right? It should be part of that architecture community, working together, thinking about the role and the design of security into that architecture portfolio as opposed to it being an afterthought.

And I think there’s an example where the team is coming together to solve a problem together, bringing their different collective expertise. The architect is the architect, right? Architecture is the architecture, but it has many aspects to it. And so I think, for me, that’s a real example of that.

Cole Cornford:

Yeah, I see security architects usually falling into one of a couple of different buckets, one of which is the bank model, is how I describe it, where the architect turns up to a project and then the first question they go through is, “Do you have encryption? Are you using standard authentication, authorization patterns?” and go for their checklist. And I think that you could probably just be letting the solutions architects who are in the technology domain follow their checklist and not have a security architect employed if that’s their role because it’s very little critical thinking. They don’t get enough context because they’re swapping between all sorts of different projects and context, which in constantly and honestly, a checklist is a checklist. Anyone can follow it, right?

Whereas I like the collaborative approach of having an architect who actually is able to listen to help design and build solutions, which is a lot less common. I find it mostly occurs in tech space actually. So when you’re moving into a scale-up institution, instead of having a dedicated security engineer is just going to be implementing stuff, usually that person is multidisciplined and can listen to stakeholders about what they need to do and then provide some good advice about balancing, having a performant functional application with making sure security is embedded as well or building, establishing baseline patterns that everybody can adhere to. So I agree, I think security architecture should not be something that is just a cybersecurity function alone because they’re so intimately connected with the business.

I even argue that risk is another area. That’s a bit like that too, right? Because cybersecurity is a risk of system intrusion or a risk of data loss or a risk of downtime, something like that, right? At the end of the day, you’re basically managing risk of your data being exposed, modified or your services being offline. And so having a risk function that is segregated away from the rest of the organization’s risk function doesn’t make any sense to me, whatsoever, but we still see cybersecurity risk teams working independently of the organization’s entire business risk strategy as well.

So a couple of ways that there’s a bit of dysfunction going on there and it’s creating that, going back to the us versus them and siloed way of looking at things. Knowledge and also information sharing, it’s hard. It’s really hard, especially in a distributed world. I noticed that you said that you get people to come together to all have that shared vision. Do you know the toast thing for Agile? Have you seen that before? When I was back at the ATO nine years ago, one of the things is they sent us an agile training and then they just asked everybody to say, “Hey, how do you make toast?” And 50 people made toast in 50 different ways.

The idea is to teach people that it’s really difficult to have everybody with the same kind of vision unless you really, really nut it out. So I think that that’s especially the case when we start working with distributed teams. So I think that’s really cool that you bring folk together, and yeah, don’t create those barriers of us versus them.

Sheena Peeters:

There’s 50 different ways to cook toast, Cole?

Cole Cornford:

I don’t know. Do you put it in a frying pan?

Sheena Peeters:

No. Do you mean that still happens? Well, I can imagine if you didn’t have a toast … Well, when you’re camping, you’d do it over a fire, right?

Cole Cornford:

Yes, actually, my mother used to cook toast in our fireplace when I was a kid and she’d be like, “This tastes better than the toaster.” And I’d just assume that that is correct. But I’ll tell you, I haven’t actually cooked toast in a fire for a long time, because unlike my mother, I don’t have a fire place in my house and I’m incredibly time poor. So a toaster goes pretty well for me, but there’s a lot of ways to make toast, right? So do you butter upside, downside? How do you do it? I don’t know. So I think it’s a good mental model to look at for because something’s so simple that everybody assumes that they know how to make toast, that the people are also not able to just even come to a basic consensus about such a simple thing. Think about your digital transformation strategy and it being like, “Yeah, we’re moving to here,” and you’re like, “Okay, this is a bit more complex than toast.”

Sheena Peeters:

Yeah, and think about ways of working, right? Because we know that by defining ineffective ways of working, that is a key contributor to the success of any transformation, right? But in order to do that, everyone comes to the table with their definition of what it is or how it should be. So this is where you have to create that common shared understanding collectively, and secondly, a common shared understanding on your security strategy. “Does everybody know what the organization has decided? Is there strategic strategy around security? What is it that we value? What are we protecting, right? Are all the people that are playing a role in it clear about that?” Otherwise, to your point, some people are cooking toast over a fire.

Cole Cornford:

And everybody else is using toasters and actually cooking toast at scale and high velocity toast engineering, but we’re all sitting here just being like, “Yup, this is the best toast. It took me an entire waterfall process to get to.”

Sheena Peeters:

And some people are like, “No, I have crumpet.”

Cole Cornford:

Just entirely different models, so they can … I like crumpets. I haven’t had crumpets. I need to go fix them up sometime. I forget that they exist because I just go straight to the waffles, so I can force my daughter to actually eat breakfast for once. So I’ve got another question for you to ask, along the same line, because you did mention that one of the things is you have to make investments and decisions around where you’re going to be spending your resources and there’s opportunity cost to be investing in cybersecurity. What kind of strategies do you employ as the head of product and technology to help make those kind of decisions?

Sheena Peeters:

Oh, that’s a big question. You like to ask-

Cole Cornford:

You just ask Cole, right? You just ask Cole.

Sheena Peeters:

That’s right. “I’m Cole. Cole.” Okay, first and foremost, I think I’m going to sound a bit like a broken record actually, but I think muscle memory, right? The more we repeat the same thing, the more we’re all going to build our muscle memory. You have to have a clear strategy. And in cyber, that strategy needs to be associated with the business strategy, right? They’re not different. They are supportive of each other. So it’s important to understand what the organization is trying to do. No point in having a really extensive cybersecurity strategy around digital if your organization is not embarking in a digital program or exploring or embracing a digital service as a part of its key business strategy, right?

So that’s a rudimentary example and particularly for the year 2023. I’m assuming most people are embarking on a digital strategy, but you get where I’m going, right? So for me, it’s having a clear strategy about what it is that you’re looking to achieve and it’s got to be measurable like a business strategy. A three-year business strategy has certain types of key strategic pillars that we want to achieve, that we have a line of sight on, that have outcomes. That security strategy then has to be reflective of the business strategy of what the business is trying to do. So I think that then drives your initiatives and your prioritization. So then you can really question, “Hang on a second, why are we doing this other random thing over here when this is the strategic direction that we’ve agreed to and that we’re committed to?”

That said though, you need ways of working embedded in there in order to be able to flex and pivot because organizations flex and pivot, right? So you’ve got to find a way to flex and pivot as well. And cyber things change so quickly, like in business, in digital and same thing as you probably well aware, Cole, every day, your world is changing really rapidly.

So this ability to be focused, but also to have the ability to flex and pivot within that I think is really critical. And all of your funding and prioritization needs to be measured against that. So if you understand what it is you’re trying to achieve, you have a plan for how you’re going to achieve it, then it’s important to then measure and prioritize accordingly. One more thing, compliance is not a strategy.

Cole Cornford:

I’m glad that you say that. The amount of times where I’ve had a customer come to me and say, “I need a pen test,” and then I say, “Why?” And they’re like, “I just need one,” and I’m like, “Okay,” or, “I need 27,001,” and then the immediate answer back to them is, “Why do you need 27,001?” And almost always, I end up convincing them that it’s not a good idea unless there’s a strong value proposition. I think that most security, it’s rarely an investment. It’s a way to manage a risk. The only time it’s an investment is where it actively helps your business to earn more revenue. And the scenarios where I see that happen is where you’re trying to get access to a market that you otherwise can’t participate in without having the regulatory frameworks in place to show that you’re allowed to be there.

So if you’re in defense, you need to be DISPed and FedRAMPed and so on. If you’re in healthcare, you need whatever the healthcare in Australia kind of ones are, I don’t remember if it’s HIPAA or something. And look, if 27,001 or SOC 2 get you the ability to get access to a couple of things, then sure, go for it. But if you’re a startup, a scale up and you’re looking to invest in your product, there’s a real opportunity cost, or at least, you can extend your runway by just saying, “I’m not going to be doing cybersecurity.” And so a lot of the places that I work with, I basically say, “Do these kind of things because they’re negligible as far as an expense goes. You’re still managing risk, but you don’t need a CASB, you don’t need a SIM, you don’t need a full DevSecOps program because you’re just trying to get product market fit, right? You don’t need to get that.”

And measuring, measuring’s hard in cybersecurity, I don’t know. Do you have any strategies for how you would measure ROI? Because I’ve got a few ideas myself, but I’d love to hear from you.

Sheena Peeters:

So look, measuring’s hard, right? Because unfortunately, you realize the value when something bad happens. You’re like, “Okay, we told you so, right? Well, you don’t never want to be there, to be honest with you.” Before … I just want to close out on the compliance thing, right?

Cole Cornford:

Yeah.

Sheena Peeters:

Compliance is an important part of your organization, doing the things that organizations shouldn’t do, right? The right things for the organization, for the industry they’re in, for the customers and the people that they serve. It is a part of the strategy. It is not the strategy. And I think that, often, I do get disappointed when I hear that sometimes our whole mechanism around cyber is that we’re ticking boxes. Oh, yup, yup, we did that. We did that patch tick. We did that thing, right?

Whereas rather I’d love to say that we’re in a place where cybersecurity is embedded as a part of our ways of working, our everyday thinking, right? And to your point, because risk management is a part of our everyday business, it’s the right thing to do to take care of our people, our customers, our organization. And so it should be baked in as what we stand for. If you think about, a lot of organizations are really embracing sustainability as a critical part of their organization. Keeping your customers safe, keeping your business safe, keeping your people safe is also a critical part of that as well. And so I don’t think any strategy starts from, “Oh, we’ve got to meet this compliance obligation, so let’s just do that thing. Yeah.”

Cole Cornford:

Yeah. Our entire business is reliant on making sure that we are Essential Eight compliant. Otherwise, we can’t make money. I have the same thing when I’m like, “Oh, do you need a website?” or it’s like, “Probably not actually. You can make money without having a website.” And they’re like, “Oh, but I need a website.” It’s like, “No, not really. Just talk to people. You don’t need a website.” Is a website going to help you get more business? Maybe, but you don’t need to put the bill and it’s the same with compliance activities, for example. I love to hear that perspective. I see way too many people focusing on compliance for compliance’s sake without meaningfully considering, “Does this actually help reduce risk or improve access to revenue?” So-

Sheena Peeters:

Now back to your return on investment or measurable outcomes. So again, this is not just cyber specific and I do recognize there’s this statement that says, “The only time that anybody appreciates cyber investment is when something bad happens.” That’s like also saying, “The only time you appreciate a digital transformation is if you have your Kodak moment,” right? We know that part of our strategic value proposition of being an organization is to be prepared. To be prepared to compete in market, right? To be prepared to grow our organization. To be prepared to secure and have trust and mitigate risk. They’re the functions of our business.

But where measurement comes is when you have a strategy and you’ve decided what it is that’s really important to you, then measurement is about, “Am I investing in the things that drive me to that strategy?” And so, “I’ve invested in this project. I invested in this thing.” So let’s use and say, I don’t know, CASB for one of a better word. “This was my strategy. Here’s why I’ve decided to prioritize funding and resources for our CASB. And actually, here’s the outcome, right? Here’s the change that I can see. Maybe it’s about protecting our people from the unknown of accessing things in the internet that they were not aware of.

If you’re investing in phishing, you can actually measure security awareness and security training. “Can I see a change in the behaviors of my organization because I’ve invested in security training, security awareness in uplifting the organization’s capability around identifying phishing and being far more aware of it? Can I see a change in behaviors when I invest in automation that free people to focus on the things that they’re doing and give me a level of coverage around my blind spots? Do I feel like I’m mitigating?” So I think you don’t have to wait until they have a security incident to say, “See, actually, we told you this is working. I’m clear about my strategy. I understand what it is I’m trying to do. I’m making choices about prioritizing what I’m working on and I can demonstrate there’s a change in behavior. There’s a change in,” whatever it is that you’re looking for.

So I think you can measure your trajectory along the way. And maybe you can tell me this, Cole, doing nothing is not an option. We can’t just stick our head in the sand, right? And that’s the same in all parts of organization, right? Growing your business, being aware of the market that you’re in, being aware what your competitors are doing, creating a strategy for competition. You can’t go, “Oh, well, I’m just going to stick my head in the sand and ignore all that.” That’s the same with cybersecurity, right?

Cole Cornford:

Yeah, if you’re not participating and you get smashed, then it’s like, “What am I doing? Why is that happening?” right? So it’s something that I commonly see when people are asking me. It’s like, “Where do I first put my money?” and the question is, “Well, what do you actually care about?” And then it’s like, “Okay, I care about these things.” It’s like, “Well, what can we measure against those things to help you out?” And sometimes it’s something like the time to detect that a vulnerability is there or how long it’s taken a development team to actually respond to vulnerabilities that are identified, the amount of coverage of applications that actually matter to your business or just how you’re benchmarking against your peers in the same sector.

Because everyone knows the story of, “What’s the best way to run away from an angry bear? To be faster than the next guy, right?” So all of these are I feel like good ways to just take points of time and then be able to say that, “At this point in time, we’ve been trending in these directions,” and then you can actually markedly demonstrate how much of an ROI you’re getting for that activity, right?

Sheena Peeters:

Yeah.

Cole Cornford:

Cool. All right, we’re going to move on to the fast questions. Ooh, I know there’s so much-

Sheena Peeters:

Fast questions.

Cole Cornford:

Fast questions, yes. Here we go.

Sheena Peeters:

Oh, I don’t know if I was prepared for fast questions.

Cole Cornford:

No, no, no. All right. So straight, first thing that comes to mind for each of these, all right?

Sheena Peeters:

Okay.

Cole Cornford:

All right. Best purchase under $100.

Sheena Peeters:

Okay, so my French Connection leather white sneakers, I’ll tell you why. They were like $99 and then they got reduced to $79. And then by the time I encountered them, there were 36. I don’t know how they figured this stuff out in the reduction process, but anyway, I picked them up for $36, Cole, because I’ve got small feet and nobody else wanted them. These shoes honestly go everywhere. They go with suits, they go with skirts, they go with jeans. You can wear them too for school pickup. I wore them all through Vietnam, all my travels. I think it’s going to be a sad day when I have to let them go.

Cole Cornford:

Oh, no. Look, I love French Connection because I take my wife there quite regularly actually and I guess, when I was a lot younger, I used-

Sheena Peeters:

There was no brand promotion here. Sorry, I interrupted.

Cole Cornford:

Yeah, look, Galah Cyber’s Secured podcast by the French connection. So-

Sheena Peeters:

Sorry, carry on.

Cole Cornford:

It’s all good. So I do like it. It’s a good high-quality fashion store and my wife loves it. I bought her a cardigan from there ages ago and she’s wearing it constantly it at the moment because it’s freezing up where I’m at. And I imagine it’s a lot worse than Melbourne, but Newcastle’s still pretty bad mornings. Oh, dear. Hey, best book and why?

Sheena Peeters:

Oh, wow, that’s really hard, Cole. Oh, I don’t know if I have a best book. I’m not a favorite music, favorite movie kind of girl, but I’ll go tell me my current book and movie.

Cole Cornford:

That’s a good way.

Sheena Peeters:

So I was reading Phil Knight’s book, Shoe Dog. I don’t know if you’ve come across it.

Cole Cornford:

Is this the Nike [inaudible]?

Sheena Peeters:

Yeah, yeah. Great story, right? Great book. Actually, I’m reading it twice because the first time I read it was on an airplane and I feel like I snoozed through half of it, as you do on long whole flights. So I read it again and then I was feeling pretty chuffed with myself because I took my kids to see the movie Air. Now my kid, when I say kids, mine are older. And so we went to see the movie Air in the cinemas. So the part about feeling chuffed with myself is I could whisper to them and say, “Oh, is this why he’s called the Shoe Dog?” Because, of course, I’d read the book, right? And I could give them little tidbits in the cinema as this movie played out, despite the fact that the movie is 1980s, Cole. I felt very much in my world here, being a ’70s, ’80s kid that I was, tape decks, orange jumpers.

Cole Cornford:

Look, it’s foreign to me, but I also love it. So I guess I had some nostalgia when some Cat Stevens played on the Coles Radio. And I was like, “Oh, I remember the days of the old school yard.” I’m like, “Yeah, I used to cry a lot.”

Sheena Peeters:

But the bit that I really love about the book is that it’s just like he had this thing, he used to say, “Oh, no, yeah, it’s my big crazy idea,” and he really believed in it and went for it. But then there’s this part in the movie where it’s a bit of an established brand and they’re trying to take some risks, but there’s this moment where Phil Knight hesitates. He’s like, “Hang on, I don’t want to take that risk. It feels too risky,” and he gets to this point where he’s like, “Just do it. Just go and do it,” right? And he reflects on how good it felt because that’s how he built his business and how good it felt to just be able to take that risk and how quickly you can become more constrained and how you start to try and line up more conditions that need to be met before you’re prepared to take that risk, whereas it’s the very risk that he took that helped him go build that business to begin with. So yeah, there you go.

Cole Cornford:

Have you heard of the concept of yak shaving before?

Sheena Peeters:

Oh, no. Should I know this? I feel like I’ve heard this before.

Cole Cornford:

No, but it’s a good software engineering joke basically, but I don’t know, I can’t remember the exact story, but basically, it’s something like you need to change a light bulb, but you need a ladder, but your ladder’s broken, so you need to go to the Bunnings. So you go to Bunnings, but you don’t have your credit card and you go to your neighbors or something. And your neighbor says, “I’ll let you borrow my ladder, but you need to give back that pillow, but your dog broke open the pillow. So now you need to go get yourself some yak hair to actually fill the pillow, so you can change the light bulb, right?” So the idea is that you’re doing an endless stream of tasks putting off the thing that you actually need to be doing.

Sheena Peeters:

Yeah, I love it.

Cole Cornford:

I see that all the time with people wanting to start businesses or try to do something in their life. For myself, really I just need to get into a gym and lift or pick one weight up and put it down and I feel like that is a lot better than, “Here is a 12-day routine and a diet and [inaudible] to an exercise physiologist,” and doing all of these other activities before actually going and doing the one that actually matters. But yeah, I encourage everybody to just go try stuff out. A lot of the things that you think in your head are incredibly risky are not as severe as you would think. What was the worst … You think about the absolute worst thing that could possibly happen if you start a business and the general idea is that, “Well, it goes bust, but you can just find a full-time role pretty quickly and probably be better qualified to compared to most people who haven’t done that, right?”

Sheena Peeters:

Yeah, but we have a fear of this idea, “Well, what if I fail? What if it didn’t work out?” But there’s a little bit to be said about erring on the side of optimism, “What if it does work out?”

Cole Cornford:

“What if it does work? Oh, I could pay the mortgage off. I have a lot of good friends.”

Sheena Peeters:

Yeah, but what if we learned something, right? What if we took that step or made that choice? And actually, it wasn’t what I expected, but I actually learned something on that path.

Cole Cornford:

Yeah. Well, rather than be fearful, let’s be optimistic moving into the future. Thank you so much, Sheena. It’s been an absolute pleasure to have you on. One parting question for you, if you’ve got any advice for our audience about the one thing they could do to stay secured, what is it?

Sheena Peeters:

Oh, wow. Collaborate and cooperate. Be part of a team. This is a team sport. Yeah, you need all the superpowers. I don’t know, whether you’re a Marvel or Justice League fan. I leave you with Justice League, right? Justice League has everybody there. All of the superpowers come together to defend the world, Cole, and I think that’s what I want to leave behind, is it’s a shared responsibility and it requires all of the different parts of our organization to come together.

Cole Cornford:

All right. Find your Batman, your Green Lantern, your Superman and bring them all together and build the best cyber team ever. Thanks so much, Sheena, for coming on. It’s been an absolute pleasure.

Sheena Peeters:

Excellent. Thank you.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high-quality apps and contents straight to your mailbox. Stay safe, stay secured. I’ll see you next episode